Finding medical information in old paper files is time-consuming and therefore costly. Let’s scan the lot and link it to our electronic health records! At low cost, of course. No problem in the cut-price market of scanning companies.
Detainees working with our medical records
Recently the Dutch public broadcaster Max aired a documentary on hospitals that had their paper files digitized. Preparing the files for scanning is labor-intensive: sorting, adding indexes, and removing staples and paper clips. Some Dutch hospitals contracted a Belgian company because it made a good offer. The documentary also revealed why: the company had subcontracted the work to prisoners. A prison is of course a secure environment, but this still raises questions about privacy safeguards.
Just some thoughts:
- According to the company, the detainees have signed a confidentiality agreement, but how much weight would you give that?
- Trading in personal data is a growing criminal market, as it is in America. Could the detainees concerned be involved in it?
- Assuming data on VIPs, politicians and so on is included, would there be opportunities for blackmail?
Good information security depends on awareness among employees and on the security culture of the organization. What information security culture do you expect in a prison in a foreign country? The question can be broadened: what do you know about the security culture at your data processor? Under a Data Protection Act, a processor is a body that processes personal data on behalf of the controller. In your processing contract you agree that the processor will handle your personal data according to the law. But despite all technical, organizational and procedural controls, if the processor's staff has no security awareness you are at risk of a data breach. What clauses do you include in the processing contract, and how do you enforce culture? What sanctions can you impose? As the controller, you are and will remain responsible, even if you contract a processor.
Did the hospital know by whom their data would be processed?
These are questions you should ask yourself before you outsource the processing of personal data. Returning to the hospitals and the scanning operation, the question arises how careful the outsourcing process was. Do the hospitals themselves have a security culture and adequate information security awareness? Were they aware that their data would be processed in a prison? Did they know whether adequate privacy safeguards were in place?
The scanning company has stopped having personal data processed by inmates because of negative public perception. But they say they are not ashamed of having helped prisoners prepare for their return to society. They indicate that employees are selected for having no “unhealthy interest in information of others.” It is also possible that the staff were reliable and that broadcaster Max was doing a bit of rabble-rousing. By the way, by publishing medical data on a public Web server, the company really did go wrong. No doubt about that. This is shown in the documentary too.
Detainees and privacy: everyone is in an uproar. But there is silence about the other companies that get access to our medical data. At least it will do no harm if healthcare organizations pay attention to privacy safeguards when they contract a processor. And that is, thanks to broadcaster Max, slightly higher on the agenda.
Watch the broadcast here: http://www.omroepmax.nl/meldpunt/uitzending/tv/meldpunt-dinsdag-26-januari-2016/ (Dutch spoken)
I am co-founder of the Dutch security awareness community, serving any security awareness pro who wants to be inspired by knowledge-sharing colleagues.
I am a Certified Security Culture Practitioner (CSCP).